[ https://issues.apache.org/jira/browse/GUACAMOLE-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18021268#comment-18021268 ]

Nick Couchman commented on GUACAMOLE-2140:
------------------------------------------

[~oerunf] I've got a couple of clarification questions for you:
 * What do you mean by "Not globally enabled" vs. "Globally enabled"? Do you 
mean as part of "Phase 1" that you do not have the TOTP extension loaded at 
all? Or something else? I ask because I don't know of a way to "globally" 
switch TOTP on or off aside from loading (or not) the TOTP extension.
 * When you say "Automated user creation", can you clarify what process you're 
using for this? I ask this because, the only built-in way that Guacamole 
supports "automated user creation" is by enabling that for the JDBC module, 
where users authenticated in one module will be automatically added to the JDBC 
module. I suspect maybe you mean, "Scripted, API-based creation of user 
accounts?"

> API support for persisting TOTP disable attributes when TOTP is globally 
> enabled
> --------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-2140
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2140
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacamole-auth-jdbc, guacamole-auth-totp
>         Environment: Guacamole Version: 1.6.0
> Deployment: Docker containers with two-phase deployment
> Authentication: Database with TOTP extension
>            Reporter: Tom P
>            Priority: Minor
>
> h2. Summary
> Requesting API support for persisting TOTP disable attributes when TOTP is 
> globally enabled, avoiding database workarounds during automated deployment.
> h2. Use Case: Automated Deployment
> Our deployment scenario requires:
>  * {*}Global TOTP{*}: Enabled for all new users by default
>  * {*}API automation user{*}: TOTP disabled for programmatic access
>  * {*}Custom admin user{*}: TOTP enabled for interactive use
> This configuration enables automation workflows that cannot handle 
> interactive TOTP challenges.
> h2. Current Problem
> Automated installation is done in 2 phases:
>  # Automated user creation with TOTP disabled attribute
>  # Enabling TOTP
> When TOTP is *not globally enabled* ('Phase 1'), the REST API correctly 
> processes TOTP disable attributes:
> {code:python}
> # This approach WORKS during Phase 1 (TOTP not globally enabled)
> api_attributes = {"guac-totp-disabled": "true"}
> client.create_user(api_user, api_pass, api_attributes)
> client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
> {code}
> However, when TOTP is *globally enabled* ('Phase 2'), the TOTP module 
> *overwrites/removes* the disable attribute:
> {code:sql}
> -- Before Phase 2 (TOTP not yet globally enabled):
> username        | attribute_name          | attribute_value
> eiguacadmin-api | guac-totp-disabled      | true
> -- After Phase 2 (TOTP globally enabled):
> username        | attribute_name          | attribute_value
> eiguacadmin-api | guac-totp-key-confirmed | true
> eiguacadmin-api | guac-totp-key-secret    | ABC46UT52UQHC4P3LW5FZYQ4IN7JXYZ
> -- guac-totp-disabled attribute was REMOVED
> {code}
> h3. Root Cause
> The TOTP module does not respect existing {{guac-totp-disabled}} attributes 
> when TOTP is enabled globally - it forces enrolment and removes disable flags.
> h2. Current Workaround
> Database manipulation is required to restore the disable attribute:
> {code:sql}
> -- Restore the disable attribute (MySQL syntax). The user_id is looked up by
> -- username through guacamole_entity, since a bare 'user_id' in VALUES is a
> -- column name, not a value.
> INSERT INTO guacamole_user_attribute (user_id, attribute_name, attribute_value)
> SELECT u.user_id, 'guac-totp-disabled', 'true'
>   FROM guacamole_user u
>   JOIN guacamole_entity e ON e.entity_id = u.entity_id
>  WHERE e.name = 'eiguacadmin-api' AND e.type = 'USER'
> ON DUPLICATE KEY UPDATE attribute_value = 'true';
> -- Clear forced enrolment for that user only. Note that "WHERE user_id = user_id"
> -- is always true and would wipe every user's TOTP enrolment.
> DELETE FROM guacamole_user_attribute
>  WHERE user_id = (SELECT u.user_id
>                     FROM guacamole_user u
>                     JOIN guacamole_entity e ON e.entity_id = u.entity_id
>                    WHERE e.name = 'eiguacadmin-api' AND e.type = 'USER')
>    AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
> {code}
> h2. Proposed Improvement
> Modify the TOTP module to respect existing {{guac-totp-disabled}} attributes 
> when global TOTP is enabled
> h2. Benefits
>  * Eliminates need for database workarounds



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
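Added example, not code from the report or from the Guacamole project: an audit script that pulls the user list over the REST API and flags every account that should carry guac-totp-disabled but no longer does, which is the Phase 2 overwrite the report describes. It assumes the webapp's POST /api/tokens and GET /api/session/data/{dataSource}/users endpoints and that each user JSON carries an "attributes" map of string values; the attribute names are the ones shown in the report. SAMPLE_USERS is constructed to mirror the report's after-Phase-2 table so the script runs offline.

```python
"""Audit which Guacamole users lost their guac-totp-disabled attribute.

Added example, not code from the issue or the Guacamole project. Assumed:
POST /api/tokens and GET /api/session/data/{dataSource}/users as exposed
by the Guacamole webapp, returning JSON in which each user has an
"attributes" map of string values.
"""
import json
import urllib.parse
import urllib.request

# Attribute names as they appear in the report's guacamole_user_attribute rows.
TOTP_DISABLED = "guac-totp-disabled"
TOTP_SECRET = "guac-totp-key-secret"
TOTP_CONFIRMED = "guac-totp-key-confirmed"


def totp_state(attributes):
    """Classify one user's TOTP attributes.

    'disabled' -> guac-totp-disabled=true present (what an automation user needs)
    'enrolled' -> a secret exists and is confirmed (enrolment completed)
    'pending'  -> a secret exists but was never confirmed (forced, unfinished)
    'none'     -> no TOTP attributes at all
    """
    attributes = attributes or {}
    if str(attributes.get(TOTP_DISABLED) or "").lower() == "true":
        return "disabled"
    if attributes.get(TOTP_SECRET):
        confirmed = str(attributes.get(TOTP_CONFIRMED) or "").lower() == "true"
        return "enrolled" if confirmed else "pending"
    return "none"


def audit(expected_disabled, users):
    """Return {username: state} for each account that should be TOTP-disabled
    but is not. users is the API's username -> user-object mapping."""
    problems = {}
    for name in expected_disabled:
        state = totp_state(users.get(name, {}).get("attributes"))
        if state != "disabled":
            problems[name] = state
    return problems


def reassert_payload(username):
    """Body for PUT /api/session/data/{dataSource}/users/{username} that
    re-sends the disable flag (the same attribute the report's
    update_user_attributes call sets). Whether the TOTP module keeps it once
    globally enabled is exactly the point of the issue."""
    return {"username": username, "attributes": {TOTP_DISABLED: "true"}}


def fetch_users(base_url, username, password):
    """Log in and list users over the assumed REST endpoints (network call)."""
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with urllib.request.urlopen(base_url + "/api/tokens", data=form) as resp:
        session = json.load(resp)
    query = urllib.parse.urlencode({"token": session["authToken"]})
    url = f"{base_url}/api/session/data/{session['dataSource']}/users?{query}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


# Constructed sample mirroring the report's table after Phase 2: the API user
# was force-enrolled and lost its disable flag; "admin-interactive" is an
# invented name for the admin account that enrolled normally.
SAMPLE_USERS = {
    "eiguacadmin-api": {
        "username": "eiguacadmin-api",
        "attributes": {TOTP_SECRET: "ABC46UT52UQHC4P3LW5FZYQ4IN7JXYZ",
                       TOTP_CONFIRMED: "true"},
    },
    "admin-interactive": {
        "username": "admin-interactive",
        "attributes": {TOTP_SECRET: "CONSTRUCTEDSECRET", TOTP_CONFIRMED: "true"},
    },
}

if __name__ == "__main__":
    # Replace SAMPLE_USERS with fetch_users("https://guac.example/guacamole",
    # "admin", "secret") to audit a live deployment.
    for user, state in audit(["eiguacadmin-api"], SAMPLE_USERS).items():
        print(f"{user}: TOTP state is '{state}', expected 'disabled'; "
              f"re-send {json.dumps(reassert_payload(user))}")
```

Run the audit once after Phase 2 and again after any database workaround; an automation account reported as 'enrolled' or 'pending' is one that would now be stopped by an interactive TOTP challenge.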
